itlawwikiaorg-20200214-history
Exceeds authorized access
Definition Exceeds authorized access is defined in the Computer Fraud and Abuse Act (CFAA) to mean "to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter."18 U.S.C. §1030(e)(6). Overview The legislative history of the CFAA reflects an expectation by Congress that persons who exceed authorized access are likely to be insiders, whereas persons who act without authorization are likely to be outsiders. According to this view, users who exceed authorized access have at least some authority to access the computer system. As a result, Congress restricted the circumstances under which an insider — a user with authorized access — could be held liable for violating Section 1030. Such users are therefore subject to criminal liability under more narrow circumstances. The offenses that can be charged based on exceeding authorized access are limited to those set forth in subsections (a)(1), (a)(2), and (a)(4). Further, "insiders, who are authorized to access a computer, face criminal liability only if they intend to cause damage to the computer, not for recklessly or negligently causing damage."See S. Rep. No. 99-432, at 10 (1986), reprinted in 1986 U.S.C.C.A.N. 2479; see also S. Rep. No. 104-357, at 11 (1996), available at 1996 WL 492169. The scope of any authorization hinges upon the facts of each case. Where the case involves exceeding authorized access, establishing the scope of authorized access may be difficult. The extent of authorization may turn upon the contents of an employment agreement or similar document, a terms of service notice, or a log-on banner outlining the permissible purposes for accessing a computer or computer network. See Southwest Airlines Co. v. Farechase, Inc., 318 F.Supp.2d 435 (N.D. Tex. 2004)(full-text) (user agreement); EF Cultural Travel BV v. Zefer Corp., 318 F.3d 58 (1st Cir. 2003)(full-text) (various site notices); Register.com, Inc. v. Verio, Inc., 126 F. Supp. 2d 238, 253 (S.D.N.Y. 2000) (terms of use notice); America Online, Inc. v. LCGM, Inc., 46 F.Supp.2d 444, 450-51 (E.D. Va. 1998)(full-text) (terms of service agreement); EF Cultural Travel BV v. Explorica, Inc., 274 F.3d 577 (1st Cir. 2001)(full-text) (employee confidentiality agreement). In one case, however, an insider (a person with some limited authorization to use a system) strayed so far beyond the bounds of his authorization that the court treated him as having acted without authorization.See United States v. Morris, 928 F.2d 504 (2d Cir. 1991)(full-text). Gauging whether an individual has exceeded authorized access based upon whether the defendant used the technological features of the computer system as "reasonably expected" was criticized by one court as too vague an approach. EF Cultural Travel v. Zefer, 318 F.3d at 63 (in a civil case under §1030(a)(4), involving whether use of a web scraper exceeded authorized access, the court rejected inferring "reasonable expectations" test in favor of express language on the part of the plaintiff). Typically, however, persons who are employees or licensees of the entity whose computer they used are held liable for exceeding authorized access as opposed to unauthorized access.See EF Cultural Travel v. Explorica, 274 F.3d at 582-84 (holding that a former employee who violated a confidentiality agreement by providing information about accessing a protected computer system could be liable for exceeding authorized access). In SecureInfo Corp. v. Telos Corp.,''387 F.Supp.2d 593 (E.D. Va. 2005)(full-text). the court dismissed a claim that defendants, who gained access to a protected computer due to breach of a software license by a licensee, either exceeded authorized access or gained unauthorized access. The court believed that the licensee had given the defendants authority to use the computer system, which undercut the plaintiff's unauthorized use claim.''Id. at 608-09. Moreover, since it was the licensee and not the defendants who agreed to the terms of the license, the defendants were not bound to the use limitations, and therefore, had not exceeded authorized access.Id. at 609-10. The court noted, however, that had the licensee — as opposed to the persons who gained access to the system via the licensee — been sued for exceeding authorized use, they may have been found liable under theory set forth in EF Cultural Travel v. Zefer.Id. at 609 (citing EF Cultural Travel v. Explorica, 274 F.3d at 582). The SecureInfo decision could arguably be read to support the proposition that users who are granted access to a system by an authorized user cannot be found liable under either an unauthorized use or an in excess of authorization theory. Presumably, however, had the third parties used their authorized access to obtain information unavailable to even licensed users, the court would have held them liable. However, the decision can also be read for the proposition that courts may be reluctant to predicate civil liability, much less criminal liability, under the CFAA solely upon a violation of a software licensing agreement. References Category:CFAA Category:Legislation Category:Legislation-U.S.-Federal Category:Legislation-U.S.-Criminal Category:Computer crime Category:Definition